2015-06-15 - ANGLER EK FROM 46.4.235[.]3 SENDS BEDEP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-06-15-Angler-EK-traffic.pcap.zip
• 2015-06-15-Angler-EK-malware-and-artifacts.zip

ZIP FILE CONTENTS:

• 2015-06-15-Angler-EK-landing-page.txt (88,524 bytes)
• twain_32.dll (250,784 bytes) - MD5 hash: f41f10b91f447d325ea1bc1b80e26ebd - SHA256: f540018e28a0a7ce4b8a8f391d4e84bf9951d650f7d277e724694baded13e5a1

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 46.4.235[.]3 port 80 - pyhnen.mistresseve[.]com - Angler EK
• 95.211.230[.]75 port 80 - ijyminllbfsuice46[.]com - Bedep post-infection traffic
• 162.244.33[.]102 port 80 - tebemqyscaglxtb[.]com - Bedep post-infection traffic
• 94.242.198[.]218 port 80 - will.merchantprospect[.]com - Bedep post-infection traffic
• 162.244.34[.]140 port 80 - mouyrate[.]com - Click-fraud traffic begins
• 95.211.202[.]33 port 80 - jerorefest[.]com - Click-fraud traffic begins
• 209.133.193[.]98 port 80 - neoplanset[.]com - Click-fraud traffic begins
• 46.45.137[.]77 port 80 - gregsomebore[.]com - Click-fraud traffic begins
• 162.244.34[.]39 port 80 - jertadopoeremo[.]com - Click-fraud traffic begins

 

ANGLER EK:

• 2015-06-15 14:29:21 UTC - pyhnen.mistresseve[.]com - GET /search?ayjz=ellhh&h6abl=ae&hbkyv=h&e2=z&wmh=9l5vs&gi=986&xfuwt=p0vei&alw=l&1vv=u&4c78q=l
• 2015-06-15 14:29:23 UTC - pyhnen.mistresseve[.]com - GET /playoner.asr?vbscrip=Y8uW&three=&cppbin=OgTq&six=&five=QR6yHfd-t3&four=n1Lrui1&
  aspface=erO5938Fg5O11o4ol8Gr4By
• 2015-06-15 14:29:26 UTC - pyhnen.mistresseve[.]com - GET /nine.webarchive?six=&nine=eHi&jspage=&eight=2KSYcoBpSe&three=mmFin8h955&
  aspface=&vbscrip=OfUKO9&ten=OJbvBD&pycharm=R2M&four=B0wF&two=a-qlxv

 

POST-INFECTION TRAFFIC (BEDEP):

• 2015-06-15 14:29:40 UTC - www.earthtools[.]org - GET /timezone-1.1/-28.37670/57.12234
• 2015-06-15 14:29:41 UTC - www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?cf1132c904c52895cda76fa365265de4
• 2015-06-15 14:29:43 UTC - ijyminllbfsuice46[.]com - POST /blog.php
• 2015-06-15 14:29:44 UTC - tebemqyscaglxtb[.]com - POST /asset.php
• 2015-06-15 14:29:46 UTC - tebemqyscaglxtb[.]com - POST /include/database_error_message.html
• 2015-06-15 14:30:01 UTC - will.merchantprospect[.]com - POST /news.php
• 2015-06-15 14:30:09 UTC - tebemqyscaglxtb[.]com - POST /memberlist.php
• 2015-06-15 14:31:19 UTC - tebemqyscaglxtb[.]com - POST /index.php
• 2015-06-15 14:31:20 UTC - tebemqyscaglxtb[.]com - POST /include/class_blog_entry.php

 

CLICK-FRAUD TRAFFIC BEGINS:

• 2015-06-15 14:32:33 UTC - mouyrate[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:33 UTC - jerorefest[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:33 UTC - neoplanset[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:34 UTC - gregsomebore[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:34 UTC - jertadopoeremo[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:49 UTC - jertadopoeremo[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:50 UTC - mouyrate[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:51 UTC - neoplanset[.]com - GET /j.php?s=1a4468a7b2a7027e87fb8029e73f7951
• 2015-06-15 14:32:52 UTC - jerorefest[.]com - GET /ads.php?sid=1923
• 2015-06-15 14:32:52 UTC - neoplanset[.]com - GET /ads.php?sid=1923

 

MALWARE

FILE FROM INFECTED HOST:

• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\twain_32.dll

 

ASSOCIATED REGISTRY KEYS:

• HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
• HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
• HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000\Sofware\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
• HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

 

Click here to return to the main page.